The Residual Risk

February 13, 2020

Residual Risk is our ultimate goal when we Threat Model, or is it? The article discusses what our goal really is and the role mitigations play in achieving it.


How do you define quality for Threat Models? The article proposes some key characteristics that improve the usefulness of your Threat Models and, as a result, their quality.


Nothing is less clear than what Quality means for Threat Models, but it must surely provide an experience that gives you more value, or at least a different value, than other approaches do. Automation may look like the answer, but it is not: we still need to give proper weight to the ingenuity of the Threat Modeling expert.


Security is my passion and prevention is my mission, so in the last 5 years or so my work has mostly gravitated around Threat Modeling. The notes you are reading are about exactly this topic and introduce you to the latest experiences and considerations around the art.
This is the first article of a series in which I am collecting the lessons learned and the new ideas that are part of what at Microsoft we call Threat Modeling vNext.


The Microsoft Product Group responsible for the development of Microsoft Threat Modeling Tool has just shipped the new version, which includes a number of bug fixes and a shiny new template for Azure, with even more stencils and threats.

You can find the announcement here:

Congratulations to the Team!

I have just prepared a new minor release to fix a blocking bug in Threats Manager: the new release is version 1.5.53.

  • [BUG] Error when drilling down into a Threat Type whose name includes a single quote character.

Please use the new version instead of the previous one.

You can download the new version from here.

I have to say this loud and clear: I love Troy Hunt's blog!

You can find there some really funny yet scary stories about our times. Among all the fantastic material available there, I have found a couple of articles about current practices around credential management particularly hilarious and troublesome. The first one is quite old, but its value has not diminished over the years: it is about password filtering, and it introduces some nice examples of what you should not do.

The second article has just been published, and shows some very bad practices around credential management.
I owe you a beer, Troy! 🙂